13 matches found
SUSE CVE-2017-0889
Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery SSRF vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources...
GHSA-PHMW-PV3F-VVX7 Moderate severity vulnerability that affects paperclip
Withdrawn, accidental duplicate publish. The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrat...
Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data UriAdapter and HttpUrlProxyAdapter. When these adapters are used, Paperclip acts as a proxy and downloads the file from the...
thoughtbot Paperclip ruby gem server-side request forgery vulnerability
The thoughtbot Paperclip ruby gem is an open source Ruby-based file attachment manager from thoughtbot, USA. A server-side request forgery vulnerability exists in the Paperclip::UriAdapter class in the thoughtbot Paperclip ruby gem 3.1.4 and later versions. An attacker can exploit this...
CVE-2017-0889
Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery SSRF vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources...
paperclip Cross-site Scripting vulnerability
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrated by image/jpeg...
GHSA-6JVM-3J5H-79F6 paperclip Cross-site Scripting vulnerability
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrated by image/jpeg...
RubyGems Paperclip Excessive Logging Content Spoofing Vulnerability
RubyGems Paperclip is a plugin for extending ActiveRecord ORM model and providing simple file attachment functionality. A content spoofing vulnerability exists in RubyGems Paperclip versions 4.2.2 through 4.3.5. An attacker can exploit this vulnerability to spoof content...
CVE-2015-2963
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrated by image/jpeg...
Cross site scripting
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrated by image/jpeg...
CVE-2015-2963
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting XSS attacks via a spoofed value, as demonstrated by image/jpeg...
CVE-2015-2963
CVE-2015-2963 affects the thoughtbot Paperclip gem for Ruby pre‑4.2.2. The vulnerability arises because media-type validation does not consider the content-type, allowing remote attackers to upload HTML documents and trigger cross-site scripting (XSS) via spoofed values (e.g., image/jpeg). Impact...
Paperclip Gem for Ruby vulnerable to content type spoofing
There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check, because a file named .html and containing actual HTML passes the spoof check...